2018-09-14

IceCTF2018-Pokeamango

Question

Solution

開左個app黎睇 , 係極簡化版既 pokemonGO , d mango會係地圖到show出黎 , 禁落去就會開相機 , 禁隻mango就會捉左
但係要捉150隻手動真係不了

Decompile完之後見到 asserts/www/ , 隻app似乎 d logic係晒 web到
見到map.js有段係

var updateMap = function() {
  console.log("updating map");
  map.setCenter(currentPos);

  // Clear mangos
  for (var i = 0; i < mangos.length; i++) {
    mangos[i].setMap(null);
  }
  mangos = [];

  var user = new google.maps.Marker({
    position: currentPos,
    map: map,
    icon: 'img/user_marker.png'
  });

  // You're my favorite mango
  mangos.push(user);

  var payload = {
    lat: currentPos.lat,
    long: currentPos.lng
  }

  payload["uuid"] = uuid

  $.post("http://pokeamango.vuln.icec.tf/mango/list", payload, function(results){
    var data = results["mangos"];
    for (var i = 0; i < data.length; i++) {
      var place = data[i];

      var mango = new google.maps.Marker({
        position: place,
        map: map,
        icon: 'img/mangie_marker.png'
      });

      mangos.push(mango);

      mango.addListener('click', function(event){
        window.name = (currentPos.lat()) + "," + (currentPos.lng()) + "," + (this.getPosition().lat()) + "," + (this.getPosition().lng());
        window.location.href = "camera.html";
      });
    }
  });
};

似乎

1	http://pokeamango.vuln.icec.tf/mango/list

係用黎list d mongo出黎

睇埋 map.js

function catchMango() {
  var payload = {
    "curLat": currentPosLat,
    "curLong": currentPosLng,
    "mangoLat": mangoPosLat,
    "mangoLong": mangoPosLng,
    "uuid": device.uuid
  };

    $.post("http://pokeamango.vuln.icec.tf/mango/catch", payload, function(results){

    window.plugins.toast.showLongBottom(results["message"], function(a){console.log('toast success: ' + a)}, function(b){alert('toast error: ' + b)})
    $("#mango").removeClass("bounce infinite");
    $("#mango").addClass("bounceOutRight");
    setTimeout(function(){ window.location.href = "map.html"; }, 1000);
  });
};

咁有齊料自動捉mango啦

import requests
import json

uuid = "46fc1c22626b960c"
currentLat = "22.3208988"
currentLng = "114.1891175"
while True:
	c = requests.post("http://pokeamango.vuln.icec.tf/mango/list", data={'lat':currentLat, 'long':currentLng, 'uuid':uuid}).text
	print c
	j = json.loads(c)
	if j['mangos'] != []:
		for m in j['mangos']:
			lat = m['lat']
			lng = m['lng']
			print requests.post("http://pokeamango.vuln.icec.tf/mango/catch", data={'uuid':uuid, 'curLat':currentLat, 'curLong':currentLng, 'mangoLat':lat, 'mangoLong':lng}).text
			print "Count: " + requests.post("http://pokeamango.vuln.icec.tf/mango/count", data={'uuid':uuid}).text
"""
{
	"mangos": [{
		"lat": 22.319894,
		"lng": 114.232087
	}],
	"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1dWlkIjoiNDZmYzFjMjI2MjZiOTYwYyJ9._qZPGKdWiHoRa5Jq0OgLwZC-9-nwZD8VYONsCtuM_b8"
}
"""

當捉到無野捉之後 , 轉一個個currentLat , currentLng就可以繼續行